AviationGermanwings flight 4U9525: a victim of the deadlock between safety and security demands

By Yijun Yu

Published 30 March 2015

People often confuse “security” and “safety,” but conceptually, these terms are different from each other. Security offers protection from intentional attacks, while safety is to prevent from natural accidents. While some security incidents can be accidental, or made to look accidental, some element of usually malicious intent is involved. The trade-off in both security and safety risks in this context is hard because the probability of accidents can be modelled while human intention cannot. One could try to estimate the probability of someone having bad intentions, especially pilots, but in the end it’s not possible to square one with the other — it is to compare apples with oranges. The Germanwings flight 4U9525, in which the pilot was locked out of the cockpit, shows that we need to reassess the risks and arguments around safety and security in the context of aviation, and find ways of bringing together hardware, software, and the flight crew themselves — perhaps through health monitoring devices — in order to ensure that both these demands work together, and do not become a threat in themselves.

It seems incredible that a pilot of a passenger airline could be locked out of the cockpit. But analysis from the cockpit voice recorder recovered from Germanwings flight 4U9525 after it ploughed into the Southern Alps in France has revealed that this is what happened and that one of the two pilots had been trying to get into the cockpit before the crash.

An initial explanation that the pilot at the controls was incapacitated, perhaps from a heart attack, has since given way to an alternative given by French investigators: that the co-pilot in the cockpit — named in reports as Andreas Lubitz — deliberately prevented the captain from entering in order to destroy the aircraft.

Following the September 11 attacks in New York in 2001, passenger aircraft cockpit doors have been reinforced in order to be made secure, and even bulletproof.

Access to the cockpit must be locked during flight, preventing passengers from forcing entry onto the flight deck so that pilots can safely fly the aircraft and manage any situation without worrying about potential hijackers. For the safety of the pilots the cockpit door must open at the pilot’s command from the flight deck, for example when there is no apparent risk of malicious attack. The outside of the cockpit door is secured by a keypad, to which the crew have the codes. But the request from the keypad to open the door must be confirmed by the pilot who remains inside.

It has become apparent that these two aspects — safety and security — are not always achievable at the same time. In the event of an incident like this, they even work against each other.

A trade-off between safety and security
People often confuse “security” and “safety.” In Chinese the two words are exactly the same. However, conceptually they are different.

Security offers protection from intentional attacks, while safety is to prevent from natural accidents. While some security incidents can be accidental, or made to look accidental, some element of usually malicious intent is involved.

The trade-off in both security and safety risks in this context is hard because the probability of accidents can be modelled while human intention cannot. One could try to estimate the probability of someone having bad intentions, especially pilots, but in the end it’s not possible to square one with the other — it is to compare apples with oranges.